Re: DHCPv6-PD -> Lack of route injection in RFC
This method is lacking because you might have several routers eg. using VRRP and the backup router will not learn anything from a relay on the primary.
On 22 Sep 2017 at 14:02, "Steve Teusch" <steve.teusch@rtr.guru> wrote:
I am running into vendors that do not support injection of a delegated route when operating as a DHCPv6 relay (or server for that matter). Brocade supports this, but I am not finding this as part of any of the RFC's. This is to deliver home ISP service, so it is very important or return packets won't go to the client unless the route is manually added as a routing protocol is not an option. There should be a MUST activity for this somewhere.
Anyone know what gives?
Which method would you recommend as an alternative?
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Baldur Norddahl
Sent: Friday, September 22, 2017 11:52 AM
This method is lacking because you might have several routers eg. using VRRP and the backup router will not learn anything from a relay on the primary.
On 22 Sep 2017 at 14:02, "Steve Teusch" <steve.teusch@rtr.guru> wrote:
I am running into vendors that do not support injection of a delegated route when operating as a DHCPv6 relay (or server for that matter). Brocade supports this, but I am not finding this as part of any of the RFC's. This is to deliver home ISP service, so it is very important or return packets won't go to the client unless the route is manually added as a routing protocol is not an option. There should be a MUST activity for this somewhere.
Anyone know what gives?
I know of several methods all flawed in some ways. There seems to be no progress in this obvious lack of a solid easy way to inject routes to match DHCP-PD.
We use ExaBGP to inject routes via BGP that matches the configuration that our DHCP server has. But this is non standard and clumsy to implement. Does not work with all CPE routers either.
Regards
Baldur
On 22 Sep 2017 at 19:08, "Nicholas Warren" <nwarren@barryelectric.com> wrote:
Which method would you recommend as an alternative?
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Baldur Norddahl
Sent: Friday, September 22, 2017 11:52 AM
This method is lacking because you might have several routers eg. using VRRP and the backup router will not learn anything from a relay on the primary.
On 22 Sep 2017 at 14:02, "Steve Teusch" <steve.teusch@rtr.guru> wrote:
I am running into vendors that do not support injection of a delegated route when operating as a DHCPv6 relay (or server for that matter). Brocade supports this, but I am not finding this as part of any of the RFC's. This is to deliver home ISP service, so it is very important or return packets won't go to the client unless the route is manually added as a routing protocol is not an option. There should be a MUST activity for this somewhere.
Anyone know what gives?
You know CPE devices are routers. They can tell you what routes DHCP has given them. That announcement could be cryptographically authenticated. Send a CPE generated public key with the PD request. Generate a CERT for the prefix delegation using those two pieces of information and return it with the prefix delegation. The CPE announces the route using that CERT to sign the announcement to prevent spoofing. Each ISP can be its own CA here if it wants to be or they can tie into the public infrastructure.
Mark
In message <CAPkb-7AjA1osY8KsUrTfNCX+KQE4b6mhVL8T3v+uxJHr77YVGg@mail.gmail.com>, Baldur Norddahl writes:
I know of several methods all flawed in some ways. There seems to be no progress in this obvious lack of a solid easy way to inject routes to match DHCP-PD.
We use ExaBGP to inject routes via BGP that matches the configuration that our DHCP server has. But this is non standard and clumsy to implement. Does not work with all CPE routers either.
Regards
Baldur
On 22 Sep 2017 at 19:08, "Nicholas Warren" <nwarren@barryelectric.com> wrote:
Which method would you recommend as an alternative?
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Baldur Norddahl
Sent: Friday, September 22, 2017 11:52 AM
This method is lacking because you might have several routers eg. using VRRP and the backup router will not learn anything from a relay on the primary.
On 22 Sep 2017 at 14:02, "Steve Teusch" <steve.teusch@rtr.guru> wrote:
I am running into vendors that do not support injection of a delegated route when operating as a DHCPv6 relay (or server for that matter). Brocade supports this, but I am not finding this as part of any of the RFC's. This is to deliver home ISP service, so it is very important or return packets won't go to the client unless the route is manually added as a routing protocol is not an option. There should be a MUST activity for this somewhere.
Anyone know what gives?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
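The exchange Mark Andrews proposes above, sketched as an added example that is not part of the original thread or of any standard: the ISP certifies the (prefix, CPE public key) pair, the CPE signs its route announcement, and the edge router checks both before installing the route. Ed25519, the `DelegationCert` layout, the message encodings and all function names are assumptions made for illustration; lease lifetime and revocation are left out.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/netip"
)

// DelegationCert binds a delegated prefix to the CPE key (hypothetical format, not X.509).
type DelegationCert struct {
	Prefix netip.Prefix
	CPEKey ed25519.PublicKey
	CASig  []byte // ISP CA signature over body()
}

func (c DelegationCert) body() []byte {
	return append([]byte("pd-cert|"+c.Prefix.String()+"|"), c.CPEKey...)
}
func routeMsg(r netip.Prefix) []byte { return []byte("pd-route|" + r.Masked().String()) }

// Issue (ISP side): certify the prefix for the key the CPE sent with its PD request.
func Issue(ca ed25519.PrivateKey, p netip.Prefix, cpe ed25519.PublicKey) DelegationCert {
	c := DelegationCert{Prefix: p.Masked(), CPEKey: cpe}
	c.CASig = ed25519.Sign(ca, c.body())
	return c
}

// Announce (CPE side): sign the route it asks the edge router to install.
func Announce(cpe ed25519.PrivateKey, r netip.Prefix) []byte { return ed25519.Sign(cpe, routeMsg(r)) }

// Verify (edge router side): nil only if the ISP CA issued the cert, the certified
// key signed the announcement, and the route lies inside the delegated prefix.
func Verify(caPub ed25519.PublicKey, c DelegationCert, r netip.Prefix, sig []byte) error {
	if len(c.CPEKey) != ed25519.PublicKeySize || !ed25519.Verify(caPub, c.body(), c.CASig) {
		return fmt.Errorf("certificate not issued by ISP CA")
	}
	if !ed25519.Verify(c.CPEKey, routeMsg(r), sig) {
		return fmt.Errorf("announcement not signed by certified CPE key")
	}
	if r.Bits() < c.Prefix.Bits() || !c.Prefix.Contains(r.Addr()) {
		return fmt.Errorf("route %v outside delegated prefix %v", r, c.Prefix)
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	cpePub, cpePriv, _ := ed25519.GenerateKey(nil)
	pd := netip.MustParsePrefix("2001:db8:1200::/56") // constructed documentation prefix
	fmt.Println(Verify(caPub, Issue(caPriv, pd, cpePub), pd, Announce(cpePriv, pd)))
}
```

Because the router only needs the ISP CA public key to run `Verify`, a VRRP backup can validate the same announcement without having seen the DHCPv6 exchange on the primary.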
On Sat, 23 Sep 2017 08:47:32 +1000, Mark Andrews said:
You know CPE devices are routers. They can tell you what routes DHCP has given them. That announcement could be cryptographically authenticated.
This is, of course, a lot easier if the CPE already has onboard the needed software to do that, or you have the ability to push it out. Is anybody from Comcast or other eyeball network willing to say (even roughly) what percent of CPE is gear they supply, versus gear that people get at Best Buy or Walmart and just plug in, versus (if they can identify it) gear that's been reflashed by clued customers? (Personally, I have a Linksys that's been reflashed with Lede, and is configured to work with what Comcast does at their end, and I'm more than happy to reconfig/reflash with other options if Comcast changes their end. Damned if I know how I'd find out, though, other than debugging my connection going wonky.)
On 9/23/17, 1:51 AM, "nanog-bounces@nanog.org on behalf of valdis.kletnieks@vt.edu" <nanog-bounces@nanog.org on behalf of valdis.kletnieks@vt.edu> wrote:
On Sat, 23 Sep 2017 08:47:32 +1000, Mark Andrews said:
You know CPE devices are routers. They can tell you what routes DHCP has given them. That announcement could be cryptographically authenticated.
This is, of course, a lot easier if the CPE already has onboard the needed software to do that, or you have the ability to push it out.
Right. How many residential market gateways support any routing protocol at all? How many support RIPv2? How many support RIPng? Being routers does not mean they support any dynamic routing protocol. If I were an ISP, I would be very skeptical of the return on adding routing support to every gateway I supported, plus an RPKI.
Is anybody from Comcast or other eyeball network willing to say (even roughly) what percent of CPE is gear they supply, versus gear that people get at Best Buy or Walmart and just plug in, versus (if they can identify it) gear that's been reflashed by clued customers?
It varies 0-100% based on network, year, and the mood of whoever makes the decision about how to handle CPE. Some ISPs provide a gateway to all of their customers, and some of those customers then put them into bridged mode. (I think Vz FiOS, for instance, always comes with a gateway). Some provide a gateway for free, which may be worth much more or less than you paid for it, depending on the philosophy of the ISP. Some assume you want a gateway and charge you several dollars a month for it.
Lee
Isn't this the topic area that the home networking working group was supposed to resolve?
On Tue, Sep 26, 2017 at 2:02 PM, Lee Howard <lee@asgard.org> wrote:
On 9/23/17, 1:51 AM, "nanog-bounces@nanog.org on behalf of valdis.kletnieks@vt.edu" <nanog-bounces@nanog.org on behalf of valdis.kletnieks@vt.edu> wrote:
On Sat, 23 Sep 2017 08:47:32 +1000, Mark Andrews said:
You know CPE devices are routers. They can tell you what routes DHCP has given them. That announcement could be cryptographically authenticated.
This is, of course, a lot easier if the CPE already has onboard the needed software to do that, or you have the ability to push it out.
Right. How many residential market gateways support any routing protocol at all? How many support RIPv2? How many support RIPng? Being routers does not mean they support any dynamic routing protocol. If I were an ISP, I would be very skeptical of the return on adding routing support to every gateway I supported, plus an RPKI.
Is anybody from Comcast or other eyeball network willing to say (even roughly) what percent of CPE is gear they supply, versus gear that people get at Best Buy or Walmart and just plug in, versus (if they can identify it) gear that's been reflashed by clued customers?
It varies 0-100% based on network, year, and the mood of whoever makes the decision about how to handle CPE. Some ISPs provide a gateway to all of their customers, and some of those customers then put them into bridged mode. (I think Vz FiOS, for instance, always comes with a gateway). Some provide a gateway for free, which may be worth much more or less than you paid for it, depending on the philosophy of the ISP. Some assume you want a gateway and charge you several dollars a month for it.
Lee
On Tue, 26 Sep 2017, Blake Dunlap wrote:
Isn't this the topic area that the home networking working group was supposed to resolve?
HOMENET was never looking into running a routing protocol between the ISP and the HGW. It was all about running a routing protocol WITHIN the home, not between the home and the ISP. All the work I saw took for granted there was for instance a DHCPv6-PD lease handed to the home gateway router.
--
Mikael Abrahamsson email: swmike@swm.pp.se
VRRP failover and not having the route injected is a good point, although I could mitigate that with a lower lease time a little. I prefer to get V6 working. Plus, it's dual stack we are talking about, V4 access is still available. Maybe a VRRP-DHCPv6 relay state table share would be nice to handle that. Although V6 still needs a lot more attention to get to that point.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Baldur Norddahl
Sent: Saturday, September 23, 2017 1:52 AM
To: nanog@nanog.org
Subject: Re: DHCPv6-PD -> Lack of route injection in RFC
This method is lacking because you might have several routers eg. using VRRP and the backup router will not learn anything from a relay on the primary.
On 22 Sep 2017 at 14:02, "Steve Teusch" <steve.teusch@rtr.guru> wrote:
I am running into vendors that do not support injection of a delegated route when operating as a DHCPv6 relay (or server for that matter). Brocade supports this, but I am not finding this as part of any of the RFC's. This is to deliver home ISP service, so it is very important or return packets won't go to the client unless the route is manually added as a routing protocol is not an option. There should be a MUST activity for this somewhere.
Anyone know what gives?
participants (8)
- Baldur Norddahl
- Blake Dunlap
- Lee Howard
- Mark Andrews
- Mikael Abrahamsson
- Nicholas Warren
- Steve Teusch
- valdis.kletnieks@vt.edu